diff --git a/hosts/quitte/network.nix b/hosts/quitte/network.nix
index 7ec034d..9ca01f4 100644
--- a/hosts/quitte/network.nix
+++ b/hosts/quitte/network.nix
@@ -2,10 +2,10 @@
 {
   networking = {
     # portunus module does weird things to this, so we force it to some sane values
-    hosts = {
-      "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
-      "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
-    };
+    # hosts = {
+    #   "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
+    #   "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
+    # };
     hostId = "a71c81fc";
     domain = "ifsr.de";
     hostName = "quitte";
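Review bot: The context comment just above the new commented-out `hosts` block still says the portunus module forces these values, yet the same commit disables portunus in modules/ldap/default.nix, so both the comment and the dead block now describe a module that is no longer active. Prefer deleting the block outright (git history keeps it) and, if the loopback mapping for `quitte.ifsr.de` is still required without portunus, keeping `hosts` as live config rather than a comment. The enclosing `networking` attribute set continues outside the hunk.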
diff --git a/modules/core/podman.nix b/modules/core/podman.nix
index ad47b5b..625d25b 100644
--- a/modules/core/podman.nix
+++ b/modules/core/podman.nix
@@ -23,4 +23,4 @@
     #docker-compose # start group of containers for dev
     #podman-compose # start group of containers for dev
   ];
-}
\ No newline at end of file
+}
diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix
index f815530..d56106a 100644
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@@ -85,17 +85,16 @@ in
   systemd.services.forgejo.preStart =
     let
       exe = lib.getExe config.services.forgejo.package;
-      portunus = config.services.portunus;
-      basedn = "ou=users,${portunus.ldap.suffix}";
+      basedn = "ou=users,dc=ifsr,dc=de";
       ldapConfigArgs = ''
         --name LDAP \
         --active \
         --security-protocol unencrypted \
-        --host '${portunus.domain}' \
+        --host 'auth.ifsr.de' \
         --port 389 \
         --user-search-base '${basedn}' \
         --user-filter '(&(objectClass=posixAccount)(uid=%s))' \
-        --admin-filter '(isMemberOf=cn=admins,ou=groups,${portunus.ldap.suffix})' \
+        --admin-filter '(isMemberOf=cn=admins,ou=groups,dc=ifsr,dc=de)' \
         --username-attribute uid \
         --firstname-attribute givenName \
         --surname-attribute sn \
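Review bot: The new `--host 'auth.ifsr.de' \` line keeps `--security-protocol unencrypted \` on port 389, so Forgejo's bind credentials and every user's password check cross the network in cleartext unless `auth.ifsr.de` still resolves to loopback; the removed comment in modules/ldap/default.nix said that mapping came from portunus, which this same commit disables, so it is likely gone. The other consumers (modules/hedgedoc.nix, modules/matrix/default.nix) point at `ldap://localhost`, so the consistent fix is `--host 'localhost' \`, or `--security-protocol ldaps \` with `--port 636 \` against the ldaps listener configured in modules/ldap/default.nix. The new `--admin-filter` still matches on `isMemberOf`, while the memberof overlay added in modules/ldap/default.nix writes `memberOf` (`olcMemberOfMemberOfAD = "memberOf"`) and the `isMemberOf` attributetype there exists only as a comment, so the admin filter probably matches nobody — verify against the server before relying on it. `dc=ifsr,dc=de` is now hard-coded here and again in modules/hedgedoc.nix, modules/matrix/default.nix and modules/nextcloud.nix; one shared constant would keep the copies from drifting. The `preStart` definition continues outside the hunk.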
diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix
index 5352ba1..acfc46e 100644
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@@ -54,9 +54,9 @@ in
         # ldap auth
         ldap = rec {
           url = "ldap://localhost";
-          searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
+          searchBase = "ou=users,dc=ifsr,dc=de";
           searchFilter = "(uid={{username}})";
-          bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
+          bindDn = "uid=search,${searchBase}";
           bindCredentials = "\${LDAP_CREDENTIALS}";
           useridField = "uid";
           providerName = "iFSR";
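Review bot: The new `bindDn = "uid=search,${searchBase}"` binds as the `search` account, but the portunus seed that created that user (and the `portunus/search-password` secret it was fed) is commented out in modules/ldap/default.nix in this same commit, and nothing visible in the new openldap config provisions it, so this bind fails unless the entry is created out of band. The same dependency holds for the `uid=search` bind DNs in modules/matrix/default.nix and modules/nextcloud.nix. A comment here such as `# uid=search is no longer seeded by portunus; it must exist in openldap` would at least record the assumption, and a declarative LDIF (e.g. via `services.openldap.declarativeContents`) would remove it. The enclosing `ldap = rec { ... }` block closes outside the hunk.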
diff --git a/modules/kanboard.nix b/modules/kanboard.nix
index 9edc86a..6b4841f 100644
--- a/modules/kanboard.nix
+++ b/modules/kanboard.nix
@@ -5,7 +5,7 @@ let
 in
 {
   sops.secrets."kanboard_env" = { };
-  
+
   virtualisation.oci-containers = {
     containers.kanboard = {
       image = "ghcr.io/kanboard/kanboard:v1.2.36";
diff --git a/modules/ldap/default.nix b/modules/ldap/default.nix
index 85ba359..385e976 100644
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
@@ -1,90 +1,175 @@
 { config, pkgs, system, ... }:
 let
   domain = "auth.${config.networking.domain}";
-  seedSettings = {
-    groups = [
-      {
-        name = "admins";
-        long_name = "Portunus Admin";
-        members = [ "admin" ];
-        permissions.portunus.is_admin = true;
-      }
-      {
-        name = "search";
-        long_name = "LDAP search group";
-        members = [ "search" ];
-        permissions.ldap.can_read = true;
-      }
-      {
-        name = "fsr";
-        long_name = "Mitglieder des iFSR";
-      }
-    ];
-    users = [
-      {
-        login_name = "admin";
-        given_name = "admin";
-        family_name = "admin";
-        password.from_command = [
-          "${pkgs.coreutils}/bin/cat"
-          config.sops.secrets."portunus/admin-password".path
-        ];
-      }
-      {
-        login_name = "search";
-        given_name = "search";
-        family_name = "search";
-        password.from_command = [
-          "${pkgs.coreutils}/bin/cat"
-          config.sops.secrets."portunus/search-password".path
-        ];
-      }
-    ];
-  };
+  # seedSettings = {
+  #   groups = [
+  #     {
+  #       name = "admins";
+  #       long_name = "Portunus Admin";
+  #       members = [ "admin" ];
+  #       permissions.portunus.is_admin = true;
+  #     }
+  #     {
+  #       name = "search";
+  #       long_name = "LDAP search group";
+  #       members = [ "search" ];
+  #       permissions.ldap.can_read = true;
+  #     }
+  #     {
+  #       name = "fsr";
+  #       long_name = "Mitglieder des iFSR";
+  #     }
+  #   ];
+  #   users = [
+  #     {
+  #       login_name = "admin";
+  #       given_name = "admin";
+  #       family_name = "admin";
+  #       password.from_command = [
+  #         "${pkgs.coreutils}/bin/cat"
+  #         config.sops.secrets."portunus/admin-password".path
+  #       ];
+  #     }
+  #     {
+  #       login_name = "search";
+  #       given_name = "search";
+  #       family_name = "search";
+  #       password.from_command = [
+  #         "${pkgs.coreutils}/bin/cat"
+  #         config.sops.secrets."portunus/search-password".path
+  #       ];
+  #     }
+  #   ];
+  # };
 in
 {
-  sops.secrets = {
-    "portunus/admin-password".owner = config.services.portunus.user;
-    "portunus/search-password".owner = config.services.portunus.user;
-  };
+  # sops.secrets = {
+  #   "portunus/admin-password".owner = config.services.portunus.user;
+  #   "portunus/search-password".owner = config.services.portunus.user;
+  # };
 
-  services.portunus = {
+  # services.portunus = {
+  #   enable = true;
+  #   package = pkgs.portunus.overrideAttrs (_old: {
+  #     patches = [
+  #       ./0001-update-user-validation-regex.patch
+  #       ./0002-both-ldap-and-ldaps.patch
+  #       ./0003-gecos-ascii-escape.patch
+  #       ./0004-make-givenName-optional.patch
+  #     ];
+  #     doCheck = false; # posix regex related tests break
+  #   });
+
+  #   inherit domain seedSettings;
+  #   port = 8681;
+  #   ldap = {
+  #     suffix = "dc=ifsr,dc=de";
+  #     searchUserName = "search";
+
+  #     # normally disables port 389 (but not with our patch), use 636 with tls
+  #     # `portunus.domain` resolves to localhost
+  #     tls = true;
+  #   };
+  # };
+  services.openldap = {
     enable = true;
-    package = pkgs.portunus.overrideAttrs (_old: {
-      patches = [
-        ./0001-update-user-validation-regex.patch
-        ./0002-both-ldap-and-ldaps.patch
-        ./0003-gecos-ascii-escape.patch
-        ./0004-make-givenName-optional.patch
-      ];
-      doCheck = false; # posix regex related tests break
-    });
+    urlList = [ "ldap:///" "ldaps:///" ];
+    settings = {
+      attrs = {
+        olcLogLevel = "conns";
 
-    inherit domain seedSettings;
-    port = 8681;
-    ldap = {
-      suffix = "dc=ifsr,dc=de";
-      searchUserName = "search";
+        olcTLSCACertificateFile = "/var/lib/acme/${domain}/full.pem";
+        olcTLSCertificateFile = "/var/lib/acme/${domain}/cert.pem";
+        olcTLSCertificateKeyFile = "/var/lib/acme/${domain}/key.pem";
+        # olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+        olcTLSCRLCheck = "none";
+        olcTLSVerifyClient = "never";
+        olcTLSProtocolMin = "3.1";
 
-      # normally disables port 389 (but not with our patch), use 636 with tls
-      # `portunus.domain` resolves to localhost
-      tls = true;
+      };
+      children = {
+        "cn=schema".includes = [
+          "${pkgs.openldap}/etc/schema/core.ldif"
+          # attributetype ( 9999.1.1 NAME 'isMemberOf'
+          # DESC 'back-reference to groups this user is a member of'
+          # SUP distinguishedName )
+          "${pkgs.openldap}/etc/schema/cosine.ldif"
+          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+          "${pkgs.openldap}/etc/schema/nis.ldif"
+          # "${pkgs.writeText "openssh.schema" ''
+          # 	attributetype ( 9999.1.2 NAME 'sshPublicKey'
+          # 		DESC 'SSH public key used by this user'
+          # 		SUP name )
+          # ''}"
+        ];
+
+        "olcDatabase={1}mdb" = {
+          attrs = {
+            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+            olcDatabase = "{1}mdb";
+            olcDbDirectory = "/var/lib/openldap/data";
+
+            olcSuffix = "dc=ifsr,dc=de";
+
+            /* your admin account, do not use writeText on a production system */
+            olcRootDN = "cn=portunus,dc=ifsr,dc=de";
+            olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
+
+            olcAccess = [
+              /* custom access rules for userPassword attributes */
+              ''{0}to attrs=userPassword
+                by self write
+                by anonymous auth
+                by * none''
+
+              /* allow read on anything else */
+              ''{1}to *
+                 by dn.base="cn=portunus,dc=ifsr,dc=de" write
+                 by group.exact="cn=portunus-viewers,dc=ifsr,dc=de" read
+                 by self read
+                 by anonymous auth
+            ''
+            ];
+          };
+          children = {
+            "olcOverlay={2}memberof".attrs = {
+              objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
+              olcOverlay = "{2}memberof";
+              olcMemberOfRefInt = "TRUE";
+              olcMemberOfDangling = "ignore";
+              olcMemberOfGroupOC = "groupOfNames";
+              olcMemberOfMemberAD = "member";
+              olcMemberOfMemberOfAD = "memberOf";
+            };
+          };
+        };
+      };
     };
   };
 
+  systemd.services.openldap = {
+    wants = [ "acme-${domain}.service" ];
+    after = [ "acme-${domain}.service" ];
+  };
+  # security.acme.defaults.group = "certs";
+  # users.groups.certs.members = [ "openldap" ];
+  # certificate permissions
+  users.users.openldap.extraGroups = [ "nginx" ];
+
   security.pam.services.sshd.makeHomeDir = true;
 
   services.nginx = {
     enable = true;
-    virtualHosts."${config.services.portunus.domain}" = {
-      locations = {
-        "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
-      };
+    virtualHosts."${domain}" = {
+      # locations = {
+      #   "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
+      # };
     };
   };
   networking.firewall = {
     extraInputRules = ''
-      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
+      ip saddr { 141.30.86.192/26, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
     '';
   };
 }
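Review bot: The `olcRootPW = "{CRYPT}$y$..."` line embeds the directory's root password hash in the Nix expression, so it lands in git and in the world-readable Nix store; the openldap module accepts a file reference, so `olcRootPW.path = config.sops.secrets."<openldap-rootpw-secret>".path;` (placeholder name) backed by a sops secret keeps it out of the store, and the `sops.secrets` block commented out above is the natural place to declare it. `olcTLSProtocolMin = "3.1"` is TLS 1.0 in slapd's numbering (3.3 is TLS 1.2), so the ldaps listener still negotiates TLS 1.0 and 1.1; set it to `"3.3"`. `urlList = [ "ldap:///" "ldaps:///" ]` binds the cleartext listener on every interface; the firewall rule at the bottom only opens 636, but `"ldap://127.0.0.1/" "ldap://[::1]/"` makes loopback-only intent explicit regardless of firewall state. The `search`/`admin` users, `cn=admins` and the `cn=portunus-viewers` group named in `olcAccess` are no longer seeded anywhere visible, so every consumer that binds as or filters on them now depends on out-of-band provisioning — worth a comment or a declarative LDIF. The firewall change dropping `141.76.100.128/25` is unexplained; a short comment on that rule would help the next reader.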
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
index f21db85..d4ca31f 100644
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@@ -96,22 +96,21 @@ in
       extraConfigFiles = [
         (pkgs.writeTextFile {
           name = "matrix-synapse-extra-config.yml";
-          text = let portunus = config.services.portunus; in
-            ''
-              modules:
-                - module: ldap_auth_provider.LdapAuthProviderModule
-                  config:
-                    enabled: true
-                    uri: ldap://localhost
-                    base: ou=users,${portunus.ldap.suffix}
-                    # taken from kaki config
-                    attributes:
-                      uid: uid
-                      mail: uid
-                      name: cn
-                    bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
-                    bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
-            '';
+          text = ''
+            modules:
+              - module: ldap_auth_provider.LdapAuthProviderModule
+                config:
+                  enabled: true
+                  uri: ldap://localhost
+                  base: ou=users,dc=ifsr,dc=de
+                  # taken from kaki config
+                  attributes:
+                    uid: uid
+                    mail: uid
+                    name: cn
+                  bind_dn: uid=search,ou=users,dc=ifsr,dc=de
+                  bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
+          '';
         })
       ];
     };
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 5688d47..ac11e63 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -59,7 +59,7 @@ in
       occ = lib.getExe config.services.nextcloud.occ;
       ldapConfig = rec {
         ldapAgentName = "uid=search,ou=users,${ldapBase}";
-        ldapBase = config.services.portunus.ldap.suffix;
+        ldapBase = "dc=ifsr,dc=de";
         ldapBaseGroups = "ou=groups,${ldapBase}";
         ldapBaseUsers = "ou=users,${ldapBase}";
         ldapConfigurationActive = "1";